This article provides information about NAT Traversal (NAT-T) supported scenarios.

• IS NAT-T supported on SRX devices?


• LAN to LAN VPN.


• Dynamic VPN.

 

This article applies to all Junos versions up to and including 11.4.

Note: In the following scenarios, the SRX is the server and the client is the other peer device.

Supported scenarios:

1. Client behind the NAT device is trying to establish VPN with a server on the Internet:
   
   

   Client (Private IP)---NAT-device---INTERNET CLOUD---Server(Public IP address)



2. Single/many clients are trying to establish VPN through two outbound NATdevices to the VPN server on the Internet:
   
   

   code>Client (Private IP)---NAT1-device----NAT2-device----INTERNET CLOUD---Server(Public IP address)



3. Multiple clients with the same private IP address and each behind their own NAT device, are trying to establish VPN with a server on the Internet:
   
   

   Client1 (Private IP)---NAT1-device---INTERNET CLOUD---Server(Public IP address)
Client2 (Private IP)---NAT2-device---INTERNET CLOUD---Server(Public IP address)

Supported scenarios with JUNOS 11.4R1 and later (NAT devices perform a static 1-to-1 NAT from public to private address):

1. Client having Public IP addresses are trying to establish VPN with a server behind the NAT device:  

   Client (Internet IP)---INTERNET CLOUD---NAT-device----Server(Private IP address)



2. Client behind a NAT device is trying to establish VPN with a server behind the NAT device:

   Client (Private IP)---NAT-device---INTERNET CLOUD---NAT-device----Server(Private IP address



3. Gateway to Gateway tunnel over NAT:
   
   

   Server1 (Private IP)---NAT-device---INTERNET CLOUD---NAT-device----Server2(Private IP address)

This issue is addressed in 11.4R1.